Groups from Cyclic Infrastructures and Pohlig-Hellman in Certain Infrastructures

Felix Fontein, Institut für Mathematik, Universität Zürich, CH-8057, Switzerland, felix.fontein@math.uzh.ch

Abstract. In discrete logarithm based cryptography, a method by Pohlig and Hellman allows solving the discrete logarithm problem efficiently if the group order is known and has no large prime factors. The consequence is that such groups are avoided. In the past, there have been proposals for cryptography based on cyclic infrastructures. We will show that the Pohlig-Hellman method can be adapted to certain cyclic infrastructures, which similarly implies that certain infrastructures should not be used for cryptography. This generalizes a result by Müller, Vanstone and Zuccherato for infrastructures obtained from hyperelliptic function fields. We recall the Pohlig-Hellman method, define the concept of a cyclic infrastructure and briefly describe how to obtain such infrastructures from certain function fields of unit rank one. Then, we describe how to obtain cyclic groups from discrete cyclic infrastructures and how to apply the Pohlig-Hellman method to compute absolute distances, which is in general a computationally hard problem for cyclic infrastructures. Moreover, we give an algorithm which allows one to test whether an infrastructure satisfies certain requirements needed for applying the Pohlig-Hellman method, and discuss whether the Pohlig-Hellman method is applicable in infrastructures obtained from number fields. Finally, we discuss how this influences cryptography based on cyclic infrastructures.

1991 Mathematics Subject Classification. Primary: 94A60, 14Q05; Secondary: 11Y99, 14G50, 14H45.
Key words and phrases. Infrastructures, Pohlig-Hellman, function fields, cryptography.
This work has been supported in part by the Swiss National Science Foundation under grant no. 107887.

1. Introduction

Since the advent of cryptographic protocols such as the Diffie-Hellman key exchange protocol and ElGamal encryption, the security of many cryptographic protocols is based on the hardness of the discrete logarithm problem: given $h$, an element of a finite cyclic group $\langle g \rangle$, find an integer $n \in \mathbb{N}$ such that $g^n = h$. In 1978, S. C. Pohlig and M. E. Hellman [20] presented an algorithm which allows one to quickly solve the discrete logarithm problem in a finite cyclic group if the group order $|G|$ has a known factorization into a product of relatively small primes (see Section 4 for more details). Since then, one prefers to use groups of (almost) prime order or groups whose order has at least one large prime factor for discrete logarithm based cryptography, to avoid this kind of attack.

In 1990, R. Scheidler, J. A. Buchmann and H. C. Williams described a key exchange [5, 23], which was not based on cyclic groups but on a structure first introduced by D. Shanks in 1972 [28], called the infrastructure of a real quadratic number field. This structure behaves similarly to finite cyclic groups, with the main difference that the operation corresponding to multiplication is not associative. This structure was generalized from real quadratic number fields to arbitrary number fields of unit rank one [6], and also to real quadratic function fields [33, 30, 32] and more general function fields [25, 22]. Moreover, the key exchange protocol for infrastructures was refined [13, 12] and extended to real quadratic function fields [26, 10].
The security of these protocols is mostly based on the fact that computing distances in infrastructures is in general assumed to be hard. As the problem of computing distances in infrastructures is related (see Section 5) to the problem of computing discrete logarithms in finite cyclic groups, one has to ask the question whether the idea of Pohlig-Hellman can be applied in this setting. In 1998, V. Müller, S. Vanstone and R. Zuccherato [18] answered this question positively in the case of infrastructures obtained from real quadratic function fields of characteristic 2. We will generalize this to obtain a positive answer for a more general class of infrastructures, which includes all infrastructures obtained from function fields. Then, we will argue why this is probably not possible for infrastructures obtained from number fields, at least without further input.

In Section 2, we will define the concept of a cyclic infrastructure and show how such infrastructures can be obtained from certain global function fields with two infinite places. After that, in Section 3, we will show how to obtain cyclic groups from such infrastructures and how to efficiently compute in them, assuming that one can efficiently compute in the underlying infrastructure. In Section 4, we will recall how the Pohlig-Hellman method works, and in Section 5 we will show how Pohlig-Hellman can be applied in the case of discrete cyclic infrastructures. Then, in Section 6 we will describe an algorithm to test whether the main requirement of the Pohlig-Hellman method, namely that the group order is smooth, is satisfied. Finally, in Section 7, we will discuss the number field case, and in Section 8, we will explain the consequences for cyclic infrastructure based cryptography.

2. Cyclic infrastructures

In this section, we define an abstract version of a cyclic infrastructure.
This definition, including the description of baby steps and giant steps, is based on the interpretation of Shanks' infrastructure in the context of a 'circle group' by H. W. Lenstra [15], even though he uses a different distance function. Roughly speaking, a cyclic infrastructure can be interpreted as a circle with a finite set of points on it.

Definition 2.1. Let $R \in \mathbb{R}_{>0}$ be a positive real number. A cyclic infrastructure $(X, d)$ of circumference $R$ is a non-empty finite set $X$ with an injective map $d : X \to \mathbb{R}/R\mathbb{Z}$, called the distance function.

Definition 2.2. We say that a cyclic infrastructure $(X, d)$ of circumference $R$ is discrete if $R \in \mathbb{Z}$ and $d(X) \subseteq \mathbb{Z}/R\mathbb{Z}$.

One can interpret finite cyclic groups as discrete cyclic infrastructures as follows: Let $G = \langle g \rangle$ be a finite cyclic group of order $m$ and $d : G \to \mathbb{Z}/m\mathbb{Z}$ be the discrete logarithm map (to the base $g$), i.e. we have $g^{d(h)} = h$ for every $h \in \langle g \rangle$. (Footnote 1: The discrete logarithm of an element $h \in \langle g \rangle$ is sometimes, in particular in Elementary Number Theory, also called the index of $h$ with respect to $g$.) By interpreting $\mathbb{Z}/m\mathbb{Z}$ as a subset of $\mathbb{R}/m\mathbb{Z}$, we get that $(G, d)$ is a discrete cyclic infrastructure of circumference $m$.

An infrastructure has two operations, namely baby steps and giant steps. For their definition, we need the following notation:

Definition 2.3. Let $R \in \mathbb{R}_{>0}$ and let $x, y \in \mathbb{R}/R\mathbb{Z}$. Write $x = \hat{x} + R\mathbb{Z}$ and $y = \hat{y} + R\mathbb{Z}$ with $\hat{x}, \hat{y} \in \mathbb{R}$ such that $\hat{x} \le \hat{y} < \hat{x} + R$. Define $[x, y] := \{ t + R\mathbb{Z} \mid t \in \mathbb{R},\ \hat{x} \le t \le \hat{y} \}$.

If one interprets $\mathbb{R}/R\mathbb{Z}$ as a circle with circumference $R$, and $x$ and $y$ as points on this circle, the set $[x, y]$ can be interpreted as the points on the circle which lie on the arc beginning at $x$ and ending at $y$. Now we can define baby steps and giant steps.
We will exclude the case $|X| = 1$, as in this case the infrastructure is trivial and not of practical interest.

Proposition 1. Let $(X, d)$ be a cyclic infrastructure of circumference $R$. Assume that $|X| > 1$.
(a) Then there is a unique bijective fixed point free map $\mathrm{bs} : X \to X$ such that for every $x \in X$, we have $[d(x), d(\mathrm{bs}(x))] \cap d(X) = \{ d(x), d(\mathrm{bs}(x)) \}$. This map is called the baby step map.
(b) Moreover, there is a unique map $\mathrm{gs} : X \times X \to X$ such that for every $x, y \in X$, we have $[d(x) + d(y), d(\mathrm{gs}(x, y))] \cap d(X) = \{ d(\mathrm{gs}(x, y)) \}$. This map is called the giant step map.

Let $G = \langle g \rangle$ be a finite cyclic group of order $n > 1$ and let $d : G \to \mathbb{Z}/n\mathbb{Z}$ be the discrete logarithm map. Then, for the cyclic infrastructure $(G, d)$, we have $\mathrm{bs}(h) = gh$ and $\mathrm{gs}(h, h') = hh'$ for all $h, h' \in G$. Applying $d$, this translates to $d(\mathrm{bs}(h)) = d(h) + 1$ and $d(\mathrm{gs}(h, h')) = d(h) + d(h')$. This shows that baby and giant steps in arbitrary infrastructures generalize the group operation of a finite cyclic group. In the case of finite cyclic groups, both baby steps and giant steps are basically the same operation. In arbitrary infrastructures, this is not the case, as in general there is no element $x \in X$ with $\mathrm{gs}(x, y) = \mathrm{bs}(y)$ for all $y \in X$.

In general, cyclic infrastructures behave similarly to cyclic groups, with the main difference being that the giant step operation is not necessarily associative, but "almost" associative in the sense that $d(\mathrm{gs}(x, y)) \approx d(x) + d(y)$. Here, "$\approx$" for elements in $\mathbb{R}/R\mathbb{Z}$ means that both sides have representatives in $\mathbb{R}$ which are relatively close to each other.

We want to close this section by showing how to obtain discrete cyclic infrastructures from certain global function fields.
Let $\mathbb{F}_q$ be a finite field with $q$ elements and $K = \mathbb{F}_q(x, y)$ a finite separable extension of $\mathbb{F}_q(x)$, $x$ transcendental over $\mathbb{F}_q$, such that $\mathbb{F}_q$ is relatively algebraically closed in $K$. Let $\mathcal{O}$ be the integral closure of $\mathbb{F}_q[x]$ in $K$, and assume that the degree valuation of $\mathbb{F}_q(x)$ has exactly two extensions to $K$; these are the infinite places $\mathfrak{p}_1$ and $\mathfrak{p}_2$ of $K$. Let $\nu_i : K \to \mathbb{Z} \cup \{\infty\}$ be the normalized valuation associated to $\mathfrak{p}_i$, $i = 1, 2$.

Now, by Dirichlet's Unit Theorem for function fields [16, p. 299, Theorem 9.5], $\mathcal{O}^* = \langle \varepsilon \rangle \oplus \mathbb{F}_q^*$ for some $\varepsilon \in \mathcal{O}^* \setminus \mathbb{F}_q^*$; without loss of generality, let $R := -\nu_1(\varepsilon) > 0$. Assume that at least one of the infinite places has degree one (see footnote 2). If $a, b \in K^*$ are two elements, then the principal fractional ideals $\mathcal{O}a$ and $\mathcal{O}b$ are equal if, and only if, $\frac{a}{b} \in \mathcal{O}^*$. Therefore, if $\mathrm{PId}(\mathcal{O})$ denotes the set of non-zero principal fractional ideals of $\mathcal{O}$, we have a well-defined map
$$D : \mathrm{PId}(\mathcal{O}) \to \mathbb{Z}/R\mathbb{Z}, \qquad \mathcal{O}\tfrac{1}{a} \mapsto -\nu_1(a) + R\mathbb{Z}.$$
We say that a principal fractional ideal $\mathfrak{a} \in \mathrm{PId}(K)$ is reduced if $1 \in \mathfrak{a}$ and, for every $a \in \mathfrak{a} \setminus \{0\}$ with $\nu_i(a) \ge 0$, $i = 1, 2$, we must have $a \in \mathbb{F}_q^*$. Denote the set of all reduced principal fractional ideals by $\mathrm{Red}(K)$. Now one has that $d := D|_{\mathrm{Red}(K)}$ is injective (see footnote 3), which, in particular, shows that $X := \mathrm{Red}(K)$ is finite. Therefore, $(X, d)$ is a discrete cyclic infrastructure.

In certain cases, namely real quadratic (i.e. real hyperelliptic) function fields [33, 32, 11] and for certain cubic function fields of unit rank one [25, 22], we can efficiently compute baby steps, inverse baby steps and giant steps (i.e. given $x, y \in X$, we can compute $\mathrm{bs}(x)$, $\mathrm{bs}^{-1}(x)$ and $\mathrm{gs}(x, y)$), and we can efficiently compute relative distances (see footnote 4) $d(\mathrm{gs}(\mathfrak{a}, \mathfrak{b})) - d(\mathfrak{a}) - d(\mathfrak{b})$ and $d(\mathrm{bs}(\mathfrak{a})) - d(\mathfrak{a})$ for all $\mathfrak{a}, \mathfrak{b} \in \mathrm{Red}(K)$.
One further fundamental property of these infrastructures is that computation of $d$ is hard, i.e. given $x \in X$, it is hard to compute the absolute distance $d(x)$ except for a few special values of $x$. Moreover, $R$ itself does not need to be known. This allows one to do cryptography in infrastructures, as for doing cryptography, one must be able to efficiently compute certain objects (here: baby steps, giant steps and relative distances), while inverse computations (here: computing absolute distances) must be hard.

3. Obtaining cyclic groups from discrete cyclic infrastructures

Our aim is to embed a cyclic infrastructure into a one-dimensional torus and to describe arithmetic on the torus using the arithmetic of the infrastructure, i.e. by using giant and baby steps. More precisely, we embed the infrastructure into $\mathbb{R}/R\mathbb{Z}$ or $\mathbb{Z}/R\mathbb{Z}$ by adding the missing elements that are not in the infrastructure. One way to describe these missing elements is by $f$-representations. In the number field case, another embedding and representation was first described by H. W. Lenstra in [15]; a more general and more modern approach can be found in [27].

Footnote 2. If one drops this assumption, one cannot show that one has 'enough' reduced ideals, which makes computation of baby and giant steps problematic. One has to use another definition of reduced ideals, and define an equivalence relation on the set of all reduced ideals to make $d$ injective.

Footnote 3. Let $\mathcal{O}\frac{1}{a}, \mathcal{O}\frac{1}{b} \in \mathrm{Red}(K)$ with $\nu_1(a) = \nu_1(b) + kR$, $k \in \mathbb{Z}$. As $\mathcal{O}\frac{1}{a} = \mathcal{O}\frac{1}{a\varepsilon^{-k}}$ and $\nu_1(a\varepsilon^{-k}) = \nu_1(b)$, we assume $k = 0$ without loss of generality. Now $\frac{b}{a} \in \mathcal{O}\frac{1}{a}$ and $\nu_1(\frac{b}{a}) = 0$. If $\nu_2(\frac{b}{a}) \ge 0$, then we must have $\frac{b}{a} \in \mathbb{F}_q^*$ as $\mathcal{O}\frac{1}{a}$ is reduced, whence $\mathcal{O}\frac{1}{a} = \mathcal{O}\frac{1}{b}$. If $\nu_2(\frac{b}{a}) < 0$, we have $\nu_2(\frac{a}{b}) > 0$, $\nu_1(\frac{a}{b}) = 0$ and $\frac{a}{b} \in \mathcal{O}\frac{1}{b}$, contradicting that $\frac{a}{b} \in \mathbb{F}_q^*$ as $\mathcal{O}\frac{1}{b}$ is reduced.
Footnote 4. From now on, we will interpret these relative distances as real numbers instead of elements of $\mathbb{R}/R\mathbb{Z}$, by identifying them with their smallest non-negative representative, i.e. we identify $a + R\mathbb{Z}$ with $a$ if $0 \le a < R$.

Let $(X, d)$ be a cyclic infrastructure of circumference $R$.

Definition 3.1. An $f$-representation is a pair $(x, f)$, where $x \in X$ and $f \in [0, R[$ such that $[d(x), d(x) + f] \cap d(X) = \{ d(x) \}$. Denote the set of $f$-representations by $\mathrm{Rep}^f(X, d)$. If $(X, d)$ is discrete, define the subset $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d) := \{ (x, f) \in \mathrm{Rep}^f(X, d) \mid f \in \mathbb{Z} \}$.

Note that infrastructures obtained from function fields, as described in Section 2, are discrete. One can also obtain infrastructures from number fields of unit rank one by a very similar method (for details, see [6]), but these are never discrete (see Section 7).

Definition 3.2. Define the (absolute) distance of a pair $(x, f) \in X \times \mathbb{R}$ by $d(x, f) := d(x) + f \in \mathbb{R}/R\mathbb{Z}$.

Then we have the following proposition:

Proposition 2. The map $d|_{\mathrm{Rep}^f(X, d)} : \mathrm{Rep}^f(X, d) \to \mathbb{R}/R\mathbb{Z}$, $(x, f) \mapsto d(x, f) = d(x) + f$ gives a bijection between the set of $f$-representations and $\mathbb{R}/R\mathbb{Z}$. If $(X, d)$ is discrete, this restricts to a bijection $d|_{\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)} : \mathrm{Rep}^f_{\mathrm{discrete}}(X, d) \to \mathbb{Z}/R\mathbb{Z}$.

Remark 1. If $(x, f) \in X \times \mathbb{R}$ is arbitrary, there exists a unique $f$-representation $(x', f')$ such that $d(x, f) = d(x', f')$. More precisely, it is the $f$-representation $(x', f')$ with $d(x, f) = d(x', f')$ such that $f' \ge 0$ is minimal. If $|f|$ is small, $(x', f')$ can be computed efficiently using baby steps by starting with $(x, f)$ and minimizing $f$:
(1) While $f$ is negative, replace $(x, f)$ by $(\mathrm{bs}^{-1}(x), f + \Delta)$, where $\Delta := d(x) - d(\mathrm{bs}^{-1}(x)) \in [0, R[$.
(2) Compute $x'' := \mathrm{bs}(x)$ and $\Delta' := d(x'') - d(x) \in [0, R[$.
(3) If $\Delta' > f$, then $(x, f)$ is an $f$-representation and we are done.
(4) Otherwise, replace $(x, f)$ by $(x'', f - \Delta')$ and continue with step (2).

One quickly sees that none of these operations modifies the distance $d(x, f)$. In case $(X, d)$ is discrete, one needs at most $|f|$ (inverse) baby step computations. Using this remark, we get the following proposition:

Proposition 3. If $(x, f)$ and $(x', f')$ are $f$-representations, consider the tuple
$$\bigl( \mathrm{gs}(x, x'),\ f + f' - ( d(\mathrm{gs}(x, x')) - d(x) - d(x') ) \bigr).$$
By the previous remark, it corresponds to a unique $f$-representation $(x'', f'')$. If we define $(x, f) \circ (x', f') := (x'', f'')$, we get that $(\mathrm{Rep}^f(X, d), \circ)$ is a group and $d|_{\mathrm{Rep}^f(X, d)} : (\mathrm{Rep}^f(X, d), \circ) \to (\mathbb{R}/R\mathbb{Z}, +)$ is a group isomorphism. If $(X, d)$ is discrete, we get that $(\mathrm{Rep}^f_{\mathrm{discrete}}(X, d), \circ)$ is a subgroup of $\mathrm{Rep}^f(X, d)$ and that $d|_{\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)} : (\mathrm{Rep}^f_{\mathrm{discrete}}(X, d), \circ) \to (\mathbb{Z}/R\mathbb{Z}, +)$ is a group isomorphism.

The relationships between these structures are described in the following diagram:
$$\begin{array}{ccccc} X \times \mathbb{R} & \supseteq & \mathrm{Rep}^f(X, d) & \supseteq & \mathrm{Rep}^f_{\mathrm{discrete}}(X, d) \\ \downarrow\, d & & \downarrow\, d|_{\mathrm{Rep}^f(X, d)} \ (\cong) & & \downarrow\, d|_{\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)} \ (\cong) \\ \mathbb{R}/R\mathbb{Z} & = & \mathbb{R}/R\mathbb{Z} & \supseteq & \mathbb{Z}/R\mathbb{Z} \end{array}$$

Therefore, if we are able to effectively compute $\mathrm{bs}$, $\mathrm{bs}^{-1}$ and $\mathrm{gs}$ and relative distances for an infrastructure $(X, d)$, we can efficiently compute in a group isomorphic to $\mathbb{R}/R\mathbb{Z}$ or $\mathbb{Z}/R\mathbb{Z}$, even if $R$ is unknown and without the need to evaluate the function $d$ for general elements of $X$. More precisely:

Corollary 1. Let $(X, d)$ be an infrastructure such that $\mathrm{bs}$, $\mathrm{bs}^{-1}$ and $\mathrm{gs}$ are efficiently computable, together with the relative distances. Let $d_{\min} := \min\{ d(\mathrm{bs}(x)) - d(x) \mid x \in X \}$ and $d_{\max} := \max\{ d(\mathrm{bs}(x)) - d(x) \mid x \in X \}$.
Then one group operation in $\mathrm{Rep}^f(X, d)$ can be computed using one $\mathrm{gs}$ computation and at most $\lceil 2 d_{\max} / d_{\min} \rceil$ computations of $\mathrm{bs}$ or at most $\lceil d_{\max} / d_{\min} \rceil$ computations of $\mathrm{bs}^{-1}$.

Proof. Given $(x, f), (x', f') \in \mathrm{Rep}^f(X, d)$, one first computes $(x'', f'')$ by $x'' := \mathrm{gs}(x, x')$ and $f'' := f + f' + (d(x) + d(x') - d(x''))$; then $d(x'', f'') = d(x, f) + d(x', f')$. As, by definition of the giant step function, $-d_{\max} < d(x) + d(x') - d(x'') \le 0$, we have $-d_{\max} < f'' < 2 d_{\max}$. When replacing $(x'', f'')$ by $(\mathrm{bs}(x''), f'' - (d(\mathrm{bs}(x'')) - d(x'')))$ resp. $(\mathrm{bs}^{-1}(x''), f'' + (d(x'') - d(\mathrm{bs}^{-1}(x''))))$, we have that $f''$ decreases resp. increases by at least $d_{\min}$. Hence, we can do at most $\lceil 2 d_{\max} / d_{\min} \rceil$ baby steps resp. $\lceil d_{\max} / d_{\min} \rceil$ inverse baby steps before $f''$ becomes negative resp. positive. $\square$

If $(X, d)$ is a discrete infrastructure, $d_{\min} \ge 1$. If $(X, d)$ is obtained from a function field as described at the end of Section 2, it is an easy application of the Riemann-Roch Theorem [34, p. 28, Theorem I.5.15] to see that
$$d_{\max} \le \left\lceil \frac{g + \deg \mathfrak{p}_2}{\deg \mathfrak{p}_1} \right\rceil.$$
This also shows that one should order $\mathfrak{p}_1$ and $\mathfrak{p}_2$ such that $\deg \mathfrak{p}_1 \ge \deg \mathfrak{p}_2$. Note that this result is also valid if $\deg \mathfrak{p}_i > 1$ for both $i$.

Remark 2. In case we want to compute in $\mathrm{Rep}^f(X, d)$ (which is, for example, necessary if $(X, d)$ is not discrete), we need to work with (arbitrary) real numbers. As this is not possible on computers, one needs to approximate them using floating point numbers. More details on this can be found in [9] and [13]; there, such representations are called CRIAD-representations resp. $(f, p)$-representations.

Finally, we want to note that in the case of real hyperelliptic function fields, a similar representation has been used by S. Paulus and H.-G. Rück in [19] to describe the arithmetic in the Jacobian.
This, together with the discussion in [11], shows that in this case, our group $\mathbb{Z}/R\mathbb{Z}$ is in fact the subgroup of the Jacobian which is generated by the divisor class of $\mathfrak{p}_1 - \mathfrak{p}_2$. This is also true for non-hyperelliptic function fields under the assumption that $\deg \mathfrak{p}_1 = \deg \mathfrak{p}_2 = 1$.

4. Pohlig-Hellman in groups

Before explaining how to do Pohlig-Hellman in discrete infrastructures in Section 5, we want to recall the Pohlig-Hellman method for finite cyclic groups. Assume that we have a finite cyclic group $G = \langle g \rangle$ of order $m$ and an element $h \in G$. We can consider the discrete logarithm problem, which states that one wants to find some $n \in \mathbb{N}$ with $g^n = h$. Note that $n$ is unique modulo $m$. Assume that the prime factorization
$$m = \prod_{i=1}^{t} p_i^{e_i}$$
with distinct primes $p_1, \dots, p_t$ and positive integers $e_1, \dots, e_t \in \mathbb{N}_{>0}$ is known. To compute $n$, note that by the Chinese Remainder Theorem,
$$G \cong \mathbb{Z}/m\mathbb{Z} \cong \mathbb{Z}/p_1^{e_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p_t^{e_t}\mathbb{Z}.$$
Therefore, we can compute $n$ modulo $p_i^{e_i}$ for every $i$ and deploy the Chinese Remainder Theorem to recover $n$ modulo $m$.

To compute $n \bmod p_i^{e_i}$, we successively compute $n \bmod p_i^{\ell}$, $\ell = 1, \dots, e_i$, by considering the discrete logarithm problem
$$\left( g^{m/p_i^{\ell}} \right)^{n \bmod p_i^{\ell}} = h^{m/p_i^{\ell}},$$
where $n \bmod p_i^{\ell}$ is sought. As we assume that we already know $n \bmod p_i^{\ell-1}$, we only have to solve the discrete logarithm problem
$$(1) \qquad \left( g^{m/p_i} \right)^{n'} = h^{m/p_i^{\ell}} \, g^{-(m/p_i^{\ell}) \cdot (n \bmod p_i^{\ell-1})},$$
where $n' \in \{0, \dots, p_i - 1\}$, to obtain $n \bmod p_i^{\ell} = (n \bmod p_i^{\ell-1}) + n' p_i^{\ell-1}$.
Assuming that we are using a method for solving discrete logarithms for elements of prime order $p$ which needs $O(\sqrt{p})$ group operations (according to [29], this is optimal if one assumes that $G$ behaves like a generic group), the running time of Pohlig-Hellman is
$$O\left( \sum_{i=1}^{t} e_i \max\{ \sqrt{p_i}, \log m \} \right) = O\left( t \max_{i=1,\dots,t} e_i \max\{ \sqrt{p_i}, \log m \} \right)$$
group operations.

5. Pohlig-Hellman in discrete infrastructures

Assume that $(X, d)$ is a discrete infrastructure of circumference $R \in \mathbb{Z}$. We have seen that this gives rise to a finite set $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$ of $R$ elements, which can be equipped with the structure of a cyclic group. In the following, we will write this group additively, i.e. the group operation will be $+$ and instead of exponentiation, we will use scalar multiplication.

We further assume that $R$ together with an element $(x, f) \in \mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$ is known where $d(x, f) = d(x) + f$ is known and small. (Footnote 5: We call an element $r \in \mathbb{R}/R\mathbb{Z}$ small if we can write $r = \hat{r} + R\mathbb{Z}$ with $\hat{r}$ small.) Using baby steps and inverse baby steps, we can compute an $f$-representation $(x', f')$ with $d(x', f') = 1$ from this (compare Remark 1). Then we have $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d) = \langle (x', f') \rangle$. In the group $(\mathrm{Rep}^f_{\mathrm{discrete}}(X, d), +)$ we can consider the discrete logarithm problem
$$n \cdot (x', f') = (x'', f''),$$
where $(x'', f'') \in \mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$ and $n \in \mathbb{Z}$. In particular, as $d(x', f') = 1$, we have that $d(x'', f'') = n + R\mathbb{Z}$, whence solving the discrete logarithm problem for an element in $X$ is equivalent to computing a distance of an element in $X$. As we can effectively compute the group operation in $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$, we can employ any algorithm for computing discrete logarithms in groups to find $n$ and, in particular, as we know the group order, we can employ the Pohlig-Hellman algorithm.
Assume that the prime factorization
$$R = \prod_{i=1}^{t} p_i^{e_i}$$
with distinct primes $p_1, \dots, p_t$ and positive integers $e_1, \dots, e_t \in \mathbb{N}_{>0}$ is known. We have seen in Section 4 that in order to find $n$, we need to solve the discrete logarithm problems
$$(2) \qquad n' \cdot \left( \frac{R}{p_i} \cdot (x', f') \right) = \frac{R}{p_i^{\ell}} \cdot (x'', f'') - (n \bmod p_i^{\ell-1}) \cdot \left( \frac{R}{p_i^{\ell}} \cdot (x', f') \right)$$
for $n'$, for $i = 1, \dots, t$ and $\ell = 1, \dots, e_i$; this is Equation (1) transcribed to our setting. Note that we know that the order of $\frac{R}{p_i^{\ell}} \cdot (x', f')$ divides $p_i^{\ell}$, whence we have that $-\frac{R}{p_i^{\ell}} \cdot (x', f') = (p_i^{\ell} - 1) \cdot \frac{R}{p_i^{\ell}} \cdot (x', f')$. In particular, there is no need to compute inverses, if one rewrites Equation (2) as
$$n' \cdot \left( \frac{R}{p_i} \cdot (x', f') \right) = \frac{R}{p_i^{\ell}} \cdot (x'', f'') + (n \bmod p_i^{\ell-1}) \cdot (p_i^{\ell} - 1) \cdot \left( \frac{R}{p_i^{\ell}} \cdot (x', f') \right).$$
As in Section 4, we get that the running time of Pohlig-Hellman is
$$O\left( \sum_{i=1}^{t} e_i \max\{ \sqrt{p_i}, \log R \} \right) = O\left( t \max_{i=1,\dots,t} e_i \max\{ \sqrt{p_i}, \log R \} \right)$$
group operations in $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$.

Remarks 1.
(a) The Pohlig-Hellman method can be parallelized: for computing $n \bmod p_i^{e_i}$, no knowledge of $n \bmod p_j^{e_j}$ is required for any $j \ne i$. This reduces the running time to $O\left( \max_{i=1,\dots,t} e_i \max\{ \sqrt{p_i}, \log R \} \right)$ group operations in $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$ when using $t$ processors.
(b) Note that it suffices to know an integer multiple $R'$ of the circumference $R$ and the factorization
$$R' = \prod_{i=1}^{t'} p_i^{\hat{e}_i}$$
with $t' \ge t$. In this case, we have $\hat{e}_i \ge e_i$ for each $i \le t$. If one applies Pohlig-Hellman with $R'$ instead of $R$, i.e. by replacing the $e_i$'s by the $\hat{e}_i$'s, the algorithm will return the same value of $n$, as for $\ell > e_i$, the solution of Equation (2) will be $n' = 0$.
The only disadvantage is that the running time will increase to $O\left( t' \max_{i=1,\dots,t} \hat{e}_i \max\{ \sqrt{p_i}, \log R \} \right)$ group operations. An alternative is to first try to find the $e_i$'s from the $\hat{e}_i$'s. For that, one computes $\frac{R'}{p_i} \cdot (x', f')$ for each $i$; if this equals the identity in $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$, we have $\hat{e}_i > e_i$. In that case, we can decrease $\hat{e}_i$ by one, i.e. replace $R'$ by $\frac{R'}{p_i}$, and try again.
(c) One can also deploy the Pohlig-Hellman method if $d(x', f') \ne 1$. In case no $n'$ is found for one instance of Equation (2), we have $(x'', f'') \notin \langle (x', f') \rangle$. If we have $d(x', f') \ne 1$, it is enough to know an integer multiple of $\frac{R}{\gcd(\ell, R)}$, where $\ell \in \mathbb{Z}$ is any integer with $\ell + R\mathbb{Z} = d(x', f')$, as $\frac{R}{\gcd(\ell, R)}$ is the order of $(x', f')$ in $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$.

6. Testing for smooth circumference

With respect to the result from the last section, it is desirable to check whether a given discrete cyclic infrastructure $(X, d)$ with circumference $R$ satisfies that $R$ is $B$-smooth, i.e. that all prime divisors of $R$ are $\le B$, for some integer $B \in \mathbb{N}$. In practice, in particular when using a discrete cyclic infrastructure for cryptographic reasons, it can happen that $R$ is not known. In this section, we present an algorithm which still allows one to check whether $R$ is $B$-smooth. (Also see the discussion following Question 1 in Section 8, where the smoothness of the regulator of a randomly chosen function field is discussed.) For this, we make the following requirements:
(1) we know some $(x, f) \in \mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$ with $d(x, f) = 1$;
(2) we know an upper bound $R'$ for $R$;
(3) for every $(x', f') \in \mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$, we can efficiently check whether $d(x', f') = 0$, i.e. whether $(x', f')$ is the identity in $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$.
For discrete cyclic infrastructures obtained from unit rank one function fields as described in Section 2, these requirements are always satisfied. Assume that $K$ is such a function field with full field of constants $\mathbb{F}_q$ and genus $g$. Then we have that:
(1) either $(x, f) = (\mathcal{O}, 1)$ or $(x, f) = (\mathrm{bs}(\mathcal{O}), 0)$ is an $f$-representation with $d(x, f) = 1$;
(2) an explicit upper bound for $R$ can be given using Hasse-Weil, as shown below; and
(3) $d(x', f') = 0$ if, and only if, $x' = \mathcal{O}$ and $f' = 0$.
Both (1) and (3) follow from the fact that $d(\mathcal{O}) = 0$ and from the definition of $f$-representations. For (2), let $d = \gcd(\deg \mathfrak{p}_1, \deg \mathfrak{p}_2)$ and $D := \frac{\deg \mathfrak{p}_2}{d} \mathfrak{p}_1 - \frac{\deg \mathfrak{p}_1}{d} \mathfrak{p}_2 \in \mathrm{Div}(K)$. Then, for $n = |\mathrm{Pic}^0_{\mathbb{F}_q}(K)|$, the divisor $nD$ is principal. Now, by Hasse-Weil, $n \le (1 + \sqrt{q})^{2g}$ [16, p. 287, Corollary 6.3 and Remark 6.4]. As $nD \ne 0$ must be the divisor of a non-constant unit $\varepsilon$ of $\mathcal{O}$, we obtain
$$R \le |\nu_1(\varepsilon)| \le \frac{\deg \mathfrak{p}_2}{d} (1 + \sqrt{q})^{2g}.$$
Note that this bound is rather crude; for example, for real quadratic function fields of Richaud-Degert type, the regulator is very small.

Our method is formulated in the following lemma:

Lemma 6.1. Let $p_1, \dots, p_t$ be all primes $\le B$, and define
$$m := \prod_{i=1}^{t} p_i^{\lfloor \log R' / \log p_i \rfloor},$$
where $R'$ satisfies $R' \ge R$. Then $R$ is $B$-smooth if, and only if, $d(m \cdot (x, f)) = 0$.

Proof. Firstly, note that $R$ is $B$-smooth if, and only if, $R \mid m$, as $R \le R'$. Secondly, the cyclic group $\mathrm{Rep}^f_{\mathrm{discrete}}(X, d)$ is generated by $(x, f)$ and has order $R$, whence $m \cdot (x, f)$ is the identity (i.e. has distance 0) if, and only if, $m$ is an integer multiple of $R$. $\square$

Note that our method is very similar to the computations done in J. Pollard's $(p-1)$-method [17, p. 93, Algorithm 3.14] or in H. W. Lenstra's Elliptic Curve Method for Factorization [14].

Remark 3.
To evaluate $m \cdot (x, f)$, one can proceed iteratively, as is usually done in Pollard's $(p-1)$-method and in Lenstra's Elliptic Curve Method: Define $(x_0, f_0) := (x, f)$ and
$$(x_i, f_i) := p_i^{\lfloor \log R' / \log p_i \rfloor} \cdot (x_{i-1}, f_{i-1}), \qquad 1 \le i \le t.$$
Then $m \cdot (x, f) = (x_t, f_t)$. To compute $(x_i, f_i)$ from $(x_{i-1}, f_{i-1})$, one does $\lfloor \log R' / \log p_i \rfloor$ consecutive multiplications of $(x_{i-1}, f_{i-1})$ by $p_i$. Therefore, to compute $m \cdot (x, f)$ using this method, one needs
$$O\left( t \left\lfloor \frac{\log R'}{\log p_i} \right\rfloor \log p_i \right) = O(t \log R')$$
group operations in $\mathrm{Rep}^f(X, d)$, assuming a square-and-multiply technique is used for multiplication by $p_i$.

In the case of infrastructures obtained from function fields, we get:

Corollary 2. If $(X, d)$ is a discrete infrastructure of circumference $R$ obtained from a function field (as in Section 2) of genus $g$ with full field of constants $\mathbb{F}_q$, then one needs at most $O(t g \log q)$ giant step and $O(t g^2 \log q)$ baby step computations to check whether $R$ is $p_t$-smooth, where $p_t$ is the $t$-th prime number.

7. Pohlig-Hellman and infrastructures based on number fields

In the case that $K$ is a number field of unit rank one, i.e. with two places at infinity, one can construct a cyclic infrastructure in basically the same way as for function fields with two places at infinity. This is, for example, described in [6]. In the number field case, $\mathcal{O}$ is the integral closure of $\mathbb{Z}$ in $K$, and $\mathbb{F}_q^*$ is replaced by the roots of unity in $K$. The places at infinity correspond to the (non-conjugate) embeddings $K \to \mathbb{C}$; if the two embeddings are $\sigma_1$ and $\sigma_2$, the condition that $\deg \sigma_i = 1$ for one $i$ corresponds to $\sigma_i(K) \subseteq \mathbb{R}$. Moreover, the valuations $\nu_i$ are defined by $\nu_i(x) := -\log |\sigma_i(x)|$, $x \in K^*$. Let $(X, d)$ be the resulting infrastructure.
Note that if $\alpha \in K^*$, then $|\sigma_i(\alpha)|$ is algebraic over $\mathbb{Q}$ and, hence, $\nu_i(\alpha)$ is transcendental over $\mathbb{Q}$ by Lindemann's Theorem if $\nu_i(\alpha) \ne 0$. Therefore, in particular, neither $R$ nor any element of $d(X)$, except 0, is a rational number, whence $(X, d)$ is far from being discrete.

Let $x \in \mathcal{O} \setminus \{0\}$. We want to investigate when $\frac{\nu_1(x)}{R} \in \mathbb{Q}$ happens. If $R = \nu_1(\varepsilon)$ for $\varepsilon \in \mathcal{O}^*$, we have that $\frac{\nu_1(x)}{R} = \frac{p}{q}$ with $p, q \in \mathbb{Z} \setminus \{0\}$ implies $|\sigma_1(x^q / \varepsilon^p)| = 1$. By [3, p. 285, (8)], we must have $|\sigma_2(x^q / \varepsilon^p)| = 1$. Now, if $\mathcal{O}\frac{1}{x}$ is reduced, this implies that $\frac{x^q}{\varepsilon^p}$ is a root of unity, i.e. is equal to $\pm 1$, i.e. we have that $x^q = \pm \varepsilon^p$. But then, we have
$$N_{K/\mathbb{Q}}(x)^q = N_{K/\mathbb{Q}}(x^q) = N_{K/\mathbb{Q}}(\pm \varepsilon^p) = \pm 1,$$
whence our assumption $x \in \mathcal{O}$ implies that $x \in \mathcal{O}^*$. This is the main ingredient of the following result:

Proposition 4. If $\mathfrak{a} \in \mathrm{Red}(K)$, then $(\mathfrak{a}, 0)$ has finite order in $\mathrm{Rep}^f(X, d)$ if, and only if, $\mathfrak{a} = \mathcal{O}$.

Proof. If $\mathfrak{a} = \mathcal{O}$, then $(\mathfrak{a}, 0)$ is the identity of $\mathrm{Rep}^f(X, d)$. For the other direction, write $\mathfrak{a} = \mathcal{O}\frac{1}{x}$ with $x \in \mathcal{O}$. As $d : \mathrm{Rep}^f(X, d) \to \mathbb{R}/R\mathbb{Z}$, $(\mathfrak{b}, f) \mapsto d(\mathfrak{b}) + f = -\nu_1(x) + f + R\mathbb{Z}$ is an isomorphism, $(\mathfrak{a}, 0)$ having finite order means that $\frac{-\nu_1(x)}{R} \in \mathbb{Q}$. By the discussion before the lemma, this implies $x \in \mathcal{O}^*$, whence $\mathfrak{a} = \mathcal{O}\frac{1}{x} = \mathcal{O}$. $\square$

As the Pohlig-Hellman method (or any other of the standard discrete logarithm problem solvers) requires an element of finite order (of which an integer multiple has to be known in the case of the Pohlig-Hellman method), we cannot directly apply the Pohlig-Hellman method to $(\mathfrak{a}, 0) \in \mathrm{Rep}^f(X, d)$, but have to find a positive real number $f \in \mathbb{R}$ and an $f$-representation $(\mathfrak{b}, f') \in \mathrm{Rep}^f(X, d)$ with $d(\mathfrak{a}) + f = d(\mathfrak{b}) + f'$ such that $(\mathfrak{b}, f')$ has finite order in $\mathrm{Rep}^f(X, d)$.
This of course opens the question how to find such an $f$ if one does not already know $d(\mathbf{a})$ and $R$. Obviously, if one knows $d(\mathbf{a})$ in advance, there is no need to apply the Pohlig-Hellman method to compute $d(\mathbf{a})$. Hence, one has to find $f$ without this information, or one has to adjust the Pohlig-Hellman method to circumvent this problem.

Finally, as Lenstra used a different distance function in the case that $K$ is a real quadratic number field [15], we want to investigate whether, with his distance function, a Pohlig-Hellman variant is possible. Let $K$ be a real quadratic number field and let $\sigma$ be the unique non-trivial automorphism of $K$. Assume that $\frac{1}{x}\mathcal{O} \in \mathrm{Red}(K)$. Instead of using the distance $-\nu_1(x) + R\mathbb{Z}$, Lenstra uses

$$\tfrac{1}{2}\bigl(\nu_2(x) - \nu_1(x)\bigr) + R\mathbb{Z} = \tfrac{1}{2} \log \left| \frac{\sigma_1(x)}{\sigma_2(x)} \right| + R\mathbb{Z}.$$

Then,

$$\frac{\nu_2(x) - \nu_1(x)}{2R} = \frac{p}{2q} \in \mathbb{Q}$$

is equivalent to

$$\frac{\sigma_1(x^q)}{\sigma_1(\sigma(x)^q)} = \frac{\sigma_1(x^q)}{\sigma_2(x^q)} = \pm \sigma_1(\varepsilon^{-p})$$

for $p, q \in \mathbb{Z}$, $q \ne 0$. Now $\sigma(x^q) = \pm x^q \varepsilon^{-p}$ means that if $\mathfrak{p}$ is a finite place of $K$, then $q\,\nu_{\mathfrak{p}}(x) = q\,\nu_{\sigma(\mathfrak{p})}(x)$. But this means that $\sigma(x)/x \in \mathcal{O}^*$, which implies $\varepsilon^{-p/q} \in \mathcal{O}^*$. Since $\mathcal{O}^* = \langle -1, \varepsilon \rangle$, it follows that $p/q \in \mathbb{Z}$. Without loss of generality, assume $q = 1$, i.e. we have

$$\frac{\nu_2(x) - \nu_1(x)}{2R} = \frac{p}{2}.$$

Hence, $\frac{1}{2}(\nu_2(x) - \nu_1(x)) + R\mathbb{Z}$ can attain at most the values $0 + R\mathbb{Z}$ and $\frac{R}{2} + R\mathbb{Z}$ in $\mathbb{R}/R\mathbb{Z}$, whence by [15, p. 15, Section 10] there are at most two $f$-representations $(\frac{1}{x}\mathcal{O}, 0) \in \mathrm{Rep}_f(X, d)$ of finite order, and the possible orders are one or two. By this argumentation, we have the same problems implementing Pohlig-Hellman using this distance function as in the case of the other distance function.

8. Conclusion

There exist several cryptosystems employing discrete cyclic infrastructures; for examples of such, see [4, 23, 26, 13, 12, 10].
They are all based on the hardness of computing distances: if $(X, d)$ is a cyclic infrastructure, these systems require that it is hard to compute $d(x)$ for a general $x \in X$. Note that this is equivalent to computing $d(x, 0)$ for $(x, 0) \in \mathrm{Rep}_f(X, d)$. Now assume that $(X, d)$ is discrete with circumference $R$, and that an integer multiple $R'$ of $R$ is known. Moreover, assume that $R'$ is smooth, i.e. that $R'$ factors into relatively small prime factors. If baby, inverse baby and giant steps and relative distances can be computed efficiently, we can use the Pohlig-Hellman method described in Section 5 to compute $d(x, 0)$ relatively fast.

Hence, in order for cryptosystems which are based on the hardness of computing absolute distances in discrete cyclic infrastructures to be safe, one has to use discrete infrastructures such that

(a) either it is very hard to compute a multiple $R'$ of $R$ which can be factorized,

(b) or $R$ is not smooth, i.e. has at least one very large prime factor.

In (a), it may even be enough that only a part of $R'$ can be factorized, if this part is still a multiple of $R$: assume that $R'$ factors as $R_1 R_2$, where $R_1$ is smooth, i.e. has small prime factors, but $R_2$ has only very large prime factors. Then it still might be that $R_2$ is not needed for computing $d(x)$: one computes $R_1 \cdot (\mathcal{O}, 1)$, and if it equals $(\mathcal{O}, 0)$, one can take $R_1$ instead of $R$. If one knows that $R$ is smooth, $R$ will be a divisor of $R_1$ and we will have $R_1 \cdot (\mathcal{O}, 1) = (\mathcal{O}, 0)$.

To avoid the possibility that the Pohlig-Hellman method can be used, one has to use function fields whose regulator is not $B$-smooth for a "large enough" $B$.
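The following Python program is an added worked example, not code from the paper, tying together the iterative computation of $m \cdot (x, f)$ at the start of this section and the $R_1 \cdot (\mathcal{O}, 1) = (\mathcal{O}, 0)$ test of the conclusion. It models a discrete cyclic infrastructure of circumference $R$ as $\mathbb{Z}/R\mathbb{Z}$ with $R$ hidden inside `HiddenCyclicGroup`: the element $(\mathcal{O}, 1)$ is the generator of distance $1$, and the solver only uses the group operation, that generator and a known multiple $R'$ of $R$. Replacing ideal arithmetic (baby and giant steps) by addition modulo $R$ is the example's own simplification; all class, function and parameter names are the example's own. `smooth_multiple_of_order` performs the $\lfloor \log R' / \log p_i \rfloor$-fold multiplications by each $p_i$, `exact_order` strips the surplus prime powers to recover $R$ from a smooth multiple, and `pohlig_hellman` then recovers $d(x)$ prime power by prime power with Chinese remaindering. When the regulator has a prime factor beyond the smoothness bound, the test on the generator fails and `recover_distance` reports that the method does not apply, which is exactly condition (b) above.

```python
# Added example (not the paper's code): toy Pohlig-Hellman in a discrete cyclic
# infrastructure modelled as Z/RZ with R hidden from the solver.


class HiddenCyclicGroup:
    """Z/RZ with R kept private: elements are absolute distances mod R."""

    def __init__(self, R):
        self._R = R
        self.identity = 0      # (O, 0)
        self.generator = 1     # (O, 1), the element of distance 1

    def add(self, a, b):       # the group operation (stands in for a giant step)
        return (a + b) % self._R

    def neg(self, a):          # inverse element
        return (-a) % self._R

    def element_at_distance(self, dist):   # the x whose d(x) is to be recovered
        return dist % self._R


def scalar_mul(G, k, x):
    """k * x by double-and-add (square-and-multiply in additive notation)."""
    acc, base = G.identity, x
    while k:
        if k & 1:
            acc = G.add(acc, base)
        base = G.add(base, base)
        k >>= 1
    return acc


def factor_trial(n):
    """Trial division, adequate for the small numbers used here. Returns {p: e}."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def smooth_multiple_of_order(G, Rprime, x, primes):
    """Iterative m*x as in the text: for each prime p_i multiply x by p_i exactly
    floor(log R'/log p_i) times. Returns (m, m*x). If R' is a multiple of the
    order of x, then m*x == identity iff that order is smooth over `primes`."""
    m, y = 1, x
    for p in primes:
        e = 0
        while p ** (e + 1) <= Rprime:   # e = floor(log R' / log p)
            e += 1
        for _ in range(e):
            y = scalar_mul(G, p, y)
        m *= p ** e
    return m, y


def exact_order(G, x, m):
    """Given m with m*x == identity, strip surplus prime factors to get ord(x)."""
    for p, e in factor_trial(m).items():
        for _ in range(e):
            if scalar_mul(G, m // p, x) != G.identity:
                break
            m //= p
    return m


def dlog_prime_power(G, g, h, p, e):
    """k with k*g == h where g has order p^e: recover k digit by digit in base p."""
    n, k = p ** e, 0
    gamma = scalar_mul(G, n // p, g)        # element of order p
    for i in range(e):
        rest = G.add(h, G.neg(scalar_mul(G, k, g)))      # (k - known digits) * g
        target = scalar_mul(G, n // p ** (i + 1), rest)  # equals digit_i * gamma
        digit, cur = 0, G.identity
        while cur != target:                # baby steps inside the order-p subgroup
            cur, digit = G.add(cur, gamma), digit + 1
        k += digit * p ** i
    return k


def pohlig_hellman(G, g, h, R):
    """Absolute distance k with k*g == h, given the exact (smooth) order R of g."""
    residues = []
    for p, e in factor_trial(R).items():
        n = p ** e
        gi, hi = scalar_mul(G, R // n, g), scalar_mul(G, R // n, h)
        residues.append((dlog_prime_power(G, gi, hi, p, e), n))
    k, M = 0, 1                              # Chinese remaindering (Garner's form)
    for r, n in residues:
        k += M * (((r - k) * pow(M, -1, n)) % n)
        M *= n
    return k % R


def recover_distance(G, x, Rprime, primes):
    """Whole pipeline: smoothness test on (O,1), then Pohlig-Hellman for d(x).
    Returns (R, d(x)), or None when R has a prime factor outside `primes`."""
    m, y = smooth_multiple_of_order(G, Rprime, G.generator, primes)
    if y != G.identity:
        return None
    R = exact_order(G, G.generator, m)
    return R, pohlig_hellman(G, G.generator, x, R)
```

A constructed run: with $R = 2^3 \cdot 3^2 \cdot 5 \cdot 7 = 2520$ and the known multiple $R' = 11 \cdot 2520$, `recover_distance(G, G.element_at_distance(1337), 27720, [2, 3, 5, 7])` returns `(2520, 1337)`; it also succeeds for $R' = 2520 \cdot 1009$, since the large factor $1009$ is never needed once $R_1 \cdot (\mathcal{O}, 1) = (\mathcal{O}, 0)$ holds, while it returns `None` as soon as $R$ itself picks up the factor $1009$.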
A naïve way to find such function fields is to randomly pick a function field (with two places at infinity, one of them of degree one) and to apply the algorithm from Section 6 to check whether the regulator is $B$-smooth; this procedure is repeated until a sufficient curve is found. This leads to several important questions:

(1) How smooth is the regulator of an average function field with two places at infinity, one of them of degree one?

In [26, Section 6.1], R. Scheidler, A. Stein and H. C. Williams apply the heuristic arguments of H. Cohen and H. W. Lenstra to real hyperelliptic function fields. They reason that the odd part of the ideal class group $\mathrm{Pic}(\mathcal{O})$ of $\mathcal{O}$ in the real hyperelliptic function field case is small with high probability. As $R \cdot |\mathrm{Pic}(\mathcal{O})| = |\mathrm{Pic}^0_{\mathbb{F}_q}(K)|$ and $|\mathrm{Pic}^0_{\mathbb{F}_q}(K)| \in [(\sqrt{q} - 1)^{2g}, (\sqrt{q} + 1)^{2g}]$, this shows that $R$ is large with high probability. More importantly, the smoothness of $R$ is more or less equivalent to the smoothness of $|\mathrm{Pic}^0_{\mathbb{F}_q}(K)|$ under the assumption of these heuristics.

An equivalent to the Cohen-Lenstra heuristics for quadratic number fields is the heuristics by E. Friedman and L. C. Washington [8] for quadratic function fields. The main difference to the number field case is that for function fields, these have been proven (in a slightly modified version) by J. D. Achter [1] in certain cases. In our case, an older result by J. D. Achter and J. Holden [2] already gives sufficient information. Let $\ell$ be a prime which is coprime to $q$. Then, by [2, Lemma 3.3], the proportion of real hyperelliptic function fields $K$ of genus $g$ over $\mathbb{F}_q$ for which $\ell \nmid |\mathrm{Pic}^0_{\mathbb{F}_q}(K)|$ is

$$1 - \frac{\ell}{\ell^2 - 1} + O(1/\ell^3) \quad \text{if } \ell \equiv 1 \pmod{q}, \qquad \text{and} \qquad 1 - \frac{1}{\ell - 1} + O(1/\ell^3) \quad \text{if } \ell \not\equiv 1 \pmod{q}.$$
This is slightly less than the probability that a random natural number in the interval $[(\sqrt{q} - 1)^{2g}, (\sqrt{q} + 1)^{2g}]$ is not divisible by $\ell$, which is approximately $1 - \frac{1}{\ell}$. Therefore, one expects that $R$ is $B$-smooth with a slightly higher probability than that a random natural number in the interval $[(\sqrt{q} - 1)^{2g}, (\sqrt{q} + 1)^{2g}]$ is $B$-smooth, which is rather low for $B \ll q^g$.

A more straightforward approach to the problem of finding function fields whose regulator is not $B$-smooth would be to ask the following question:

(2) Can one efficiently construct function fields with two places at infinity, one of them of degree one, such that the regulator is known to have a very large prime factor?

More generally, one can also ask the following question:

(3) Given an arbitrary positive integer $R$, can one efficiently construct a function field with two places at infinity, one of them of degree one, which has regulator $R$, or $R \cdot \ell$ with $\ell \in \mathbb{N}$ small?

In the case of real elliptic function fields, this is basically equivalent to finding an elliptic curve together with a rational point of order $R$, as is explained in [31]: if $E$ is an elliptic curve over $\mathbb{F}_q$ with the point $\infty$ at infinity, and if $P \in E(\mathbb{F}_q) \setminus \{\infty\}$, one can transform the equation of $E$ such that one obtains a function field with two places at infinity, which correspond to the two points $P$ and $\infty$ of $E$. Moreover, the regulator of this new function field is exactly the order of $P$, and the reduced principal ideals correspond to the multiples of $P$. For hyperelliptic function fields, one has a similar correspondence; see [19].

Currently, elliptic or hyperelliptic curves (or, more precisely, their imaginary function field counterparts $K$) with a specific number of points (i.e. elements in $\mathrm{Pic}^0_{\mathbb{F}_q}(K)$) are usually constructed using complex multiplication, or by choosing curves from very special families of curves (see, for example, [7]). It is currently not known whether there are special attacks for these classes of curves.

A final question arises from the fact that there are also proposals for cyclic infrastructure based cryptography for infrastructures obtained from number fields (for examples, see [5, 23, 13, 12]). In the previous section, we have seen that the Pohlig-Hellman method cannot be applied in the number field case in its current state. Therefore, one can ask the following:

(4) Can a similar method be applied to cyclic infrastructures obtained from number fields, or generally to non-discrete cyclic infrastructures?

So far, the author is not aware of any idea of whether this question can be answered positively.

Acknowledgments

I would like to thank Renate Scheidler for the suggestion to consider the Pohlig-Hellman method for infrastructures, Michael J. Jacobson, Jr. for pointing me to H. W. Lenstra's paper and Andreas Stein, Joachim Rosenthal, Jeffrey D. Achter and the anonymous referees for their valuable comments and suggestions. Moreover, I would like to thank the Institut für Mathematik at the Carl von Ossietzky Universität Oldenburg for their hospitality during my stay.

References

[1] J. D. Achter, The distribution of class groups of function fields, J. Pure Appl. Algebra, 204 (2006), 316–333.
[2] J. D. Achter and J. Holden, Notes on an analogue of the Fontaine-Mazur conjecture, J. Théor. Nombres Bordeaux, 15 (2003), 627–637.
[3] H. Appelgate and H. Onishi, Periodic expansion of modules and its relation to units, J. Number Theory, 15 (1982), 283–294.
[4] I. Biehl, J. A. Buchmann and C. Thiel, Cryptographic protocols based on discrete logarithms in real-quadratic orders, in "Advances in Cryptology—CRYPTO '94" (ed. Y. Desmedt), Springer, (1994), 56–60.
[5] J. A. Buchmann and H. C. Williams, A key exchange system based on real quadratic fields (extended abstract), in "Advances in Cryptology—CRYPTO '89 (Santa Barbara, CA, 1989)," Springer, (1990), 335–343.
[6] J. A. Buchmann and H. C. Williams, On the infrastructure of the principal ideal class of an algebraic number field of unit rank one, Math. Comp., 50 (1988), 569–579.
[7] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen and F. Vercauteren, "Handbook of Elliptic and Hyperelliptic Curve Cryptography," Chapman & Hall/CRC, 2005.
[8] E. Friedman and L. C. Washington, On the distribution of divisor class groups of curves over finite fields, in "Théorie des Nombres, Proc. Int. Number Theory Conf. Laval, 1987", Walter de Gruyter, (1989), 227–239.
[9] D. Hühnlein and S. Paulus, On the implementation of cryptosystems based on real quadratic number fields (extended abstract), in "Selected Areas in Cryptography (Waterloo, ON, 2000)", Springer, (2001), 288–302.
[10] M. J. Jacobson, R. Scheidler and A. Stein, Cryptographic protocols on real hyperelliptic curves, Adv. Math. Commun., 1 (2007), 197–221.
[11] M. J. Jacobson, R. Scheidler and A. Stein, Fast arithmetic on hyperelliptic curves via continued fraction expansions, in "Advances in Coding Theory and Cryptography" (eds. T. Shaska, W. C. Huffman, D. Joyner and V. Ustimenko), World Scientific Publishing Co. Pte. Ltd., 3 (2007), 201–245.
[12] M. J. Jacobson, R. Scheidler and H. C. Williams, An improved real-quadratic-field-based key exchange procedure, J. Cryptology, 19 (2006), 211–239.
[13] M. J. Jacobson, R. Scheidler and H. C. Williams, The efficiency and security of a real quadratic field based key exchange protocol, in "Public-key Cryptography and Computational Number Theory (Warsaw, 2000)," Walter de Gruyter, (2001), 89–112.
[14] H. W. Lenstra, Factoring integers with elliptic curves, Ann. of Math. (2), 126 (1987), 649–673.
[15] H. W. Lenstra, On the computation of regulators and class numbers of quadratic fields, in "Journées Arithmétiques 1980 (Exeter, 13th–19th April 1980)," Cambridge University Press, (1982), 123–150.
[16] D. Lorenzini, "An Invitation to Arithmetic Geometry," American Mathematical Society, Providence, RI, 1996.
[17] A. J. Menezes, P. van Oorschot and S. A. Vanstone, "Handbook of Applied Cryptography," CRC Press, Boca Raton, FL, 1997.
[18] V. Müller, S. Vanstone and R. Zuccherato, Discrete logarithm based cryptosystems in quadratic function fields of characteristic 2, Des. Codes Cryptogr., 14 (1998), 159–178.
[19] S. Paulus and H.-G. Rück, Real and imaginary quadratic representations of hyperelliptic function fields, Math. Comp., 68 (1999), 1233–1241.
[20] S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Inform. Theory, 24 (1978), 106–110.
[21] M. I. Rosen, "Number Theory in Function Fields," Springer, New York, 2002.
[22] R. Scheidler, Ideal arithmetic and infrastructure in purely cubic function fields, J. Théor. Nombres Bordeaux, 13 (2001), 609–631.
[23] R. Scheidler, J. A. Buchmann and H. C. Williams, A key-exchange protocol using real quadratic fields, J. Cryptology, 7 (1994), 171–199.
[24] R. Scheidler and A. Stein, Class number approximation in cubic function fields, Contrib. Discrete Math., 2 (2007), 107–132.
[25] R. Scheidler and A. Stein, Unit computation in purely cubic function fields of unit rank 1 (extended abstract), in "Proceedings of the Third Algorithmic Number Theory Symposium ANTS-III" (ed. J. Buhler), Springer, (1998), 592–606.
[26] R. Scheidler, A. Stein and H. C. Williams, Key-exchange in real quadratic congruence function fields, Des. Codes Cryptogr., 7 (1996), 153–174.
[27] R. Schoof, Computing Arakelov class groups, in "Surveys in Algorithmic Number Theory," Cambridge University Press, (2008), 447–495.
[28] D. Shanks, The infrastructure of a real quadratic field and its applications, in "Proceedings of the Number Theory Conference (Univ. Colorado, Boulder, Colo., 1972)", Univ. Colorado, (1972), 217–224.
[29] V. Shoup, Lower bounds for discrete logarithms and related problems, in "Advances in Cryptology—EUROCRYPT '97" (ed. W. Fumy), Springer, (1997), 256–266.
[30] A. Stein, "Baby step-giant step-Verfahren in reellquadratischen Kongruenzfunktionenkörpern mit Charakteristik ungleich 2," M.Sc. thesis, Universität des Saarlandes in Saarbrücken, 1992.
[31] A. Stein, Equivalences between elliptic curves and real quadratic congruence function fields, J. Théor. Nombres Bordeaux, 9 (1997), 75–95.
[32] A. Stein, Infrastructure in real quadratic function fields, Technical Report CORR 99-17, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario, May 1999.
[33] A. Stein and H. G. Zimmer, An algorithm for determining the regulator and the fundamental unit of hyperelliptic congruence function field, in "Proceedings of the 1991 International Symposium on Symbolic and Algebraic Computation, ISSAC '91", Association for Computing Machinery, (1991), 183–184.
[34] H. Stichtenoth, "Algebraic Function Fields and Codes," Springer-Verlag, Berlin Heidelberg, 1993.
